Simple encryption proposal. Comments ?
Bengt Richter
bokr at oz.net
Tue Dec 31 06:35:26 EST 2002
On 30 Dec 2002 07:13:02 -0800, Paul Rubin <phr-n2002b at NOSPAMnightsong.com> wrote:
>"Thomas Weholt" <2002 at weholt.org> writes:
>> Hm .... are you saying I'm better off using rotor? My first attempts used
>> rotor, but storing rotor-encrypted data in values of HTTP-cookies didn't
>> work very good, since cookie-values must be in the
>> string.lowercase+string.uppercase+'0123456789'-range ( in addition to the
>> normal ,.-_ etc. characters ). Rotor produced alot of unprintable data. If I
>> didn't mess it up somewhere that is.
>
>- Don't use rotor; it is not secure.
>
>- Also, don't use SmartCookie, since it uses pickling and malicious
>incoming cookies can potentially take over your server.
>
>- Just about any encryption scheme is going to result in unprintable
> characters that you'll then have to encode printably. I'm not sure
> whether base64 characters are all permissible in cookies. I think
> they are. Otherwise you may have to find some substitutions.
Re encoding (not encrypting) binary, I've used a base52 encoding to guarantee
only [A-Za-z] characters in the encoded string, so it can't screw up in a
context where they might become symbols or shouldn't possibly look like bad
numbers. One or a pair of binary bytes becomes 3 base52 characters.
Because 52**3 > 2**17:
>>> 52**3, 2**17
(140608, 131072)
there is room for two bytes plus a flag bit to say whether there's really
two bytes encoded. It's a 50% expansion from clear, but it's simple and
doesn't have to buffer more than two characters to produce the output.
It preserves byte order of a byte sequence, so endianness should be dealt
with separately, if using with something that gets bytes from chunks.
Regards,
Bengt Richter
More information about the Python-list
mailing list